Client Awarded 2.61 Million Dollars In Aerojet Cybersecurity FCA Case
On July 8, 2022, the DOJ announced the settlement of a Cybersecurity False Claims Act case filed by Thyberglaw on behalf of client, Brian Markus, against Aerojet Rocketdyne. The terms of the settlement required that Aerojet Rocketdyne pay the government 9 million dollars, out of which Markus will receive 2.61 million dollars, to settle allegations that Aerojet fraudulently induced the government to enter contracts related to advanced space and military technology while making false statements about its compliance status with legally mandated and contractually required cyber security controls. The Aerojet case has been referred as a landmark false claims act cybersecurity case as it was the first case to use the false claims act to enforce the minimum DFARS and NASAFARS cybersecurity standards government contractors are required to follow if they are awarded a contract that will require that they store the government’s sensitive information related to military or space technology on their computer network. Since the filing of this case, the DOD has revised its regulations as to how contractors demonstrate their compliance with the DFARS Cybersecurity regulations. The DOJ has announced its cyber fraud initiative stating that the government will use the false claims act as a tool to hold contractors accountable if they enter contracts while misrepresenting their compliance status with cybersecurity regulations. The Aerojet cybersecurity false claims case filed by Thyberglaw on behalf of Markus as the relator has been cited as the template for false claims act cybersecurity cases going forward. The legal theories first asserted in the Aerojet Rocketdyne cybersecurity false claims case can be applied to cybersecurity false claims cases in other areas including healthcare providers who engage in government contracts to provide services that require they meet minimum cybersecurity standards to protect a patient’s health information. Any contract that requires that a government contractor meet minimum cybersecurity standards to protect sensitive information can form the basis for a cybersecurity false claims act case going forward if the contractor concealed its non-compliance federal cybersecurity regulations or made false statements about it cybersecurity compliance status to the government as was alleged by Markus in the Aerojet Rocketdyne case. Relators, like Markus, who act is a whistleblower in a cybersecurity false claims case can potentially receive a share of 15 to 30% of the amount recovered by the government against a contractor in a cybersecurity false claims case.